Comercial City Fresko is a Mexican holding company of hypermarkets headquartered in Mexico City. It operates the hypermarkets La Comer, City Market, Fresko and Sumesa, which have a strong presence in Mexico City, State Of Mexico and other areas mostly in the Central and Bajio region of the country.
Comercial City Fresko processes up to 30 m POS card transaction every year on ACI’s BASE24 Classic system. Comercial City Fresko’s ability to provide reliable, secure and cost-effective transaction processing services to its hypermarkets is a critical success factor.
Since City Fresko’s central ACI BASE24 authorization system must be up and running 24/7 to process the POS transactions from its hypermarkets such as La Comer, Fresko, and Sumesa, the key challenge was to implement a data protection solution that avoids changes to the existing applications while offering a robust security layer to protect the data at rest in City Fresko’s enterprise systems.
The main driver for City Fresko to implement a reliable data protection solution was to achieve compliance with PCI-DSS regulations, which requires that cardholder data (PAN) must be rendered unreadable wherever it is stored. The solution needed to work with ACI BASE24 on HPE NonStop servers and had to be implemented in less than 6 months to meet a PCI-DSS audit deadline.
Non-compliance would result in regulatory fines from acquiring banks and an increase in interchange fees, not to mention the reputational damage of the brands in case of a data breach.
- Runs hypermarkets La Comer, City Market, Fresko and Sumesa in Mexico
- POS network acquirer processing up to 30 m transactions per year using ACI BASE24
- Now compliant with PCI- DSS requirements
- Highly flexible and scalable solution implemented quickly and easily
- Achieve PCI-DSS compliance within 6 months
- Avoid regulatory fines and increased interchange fees in case of non-compliance
- Minimize the risk of data breaches and potential fraud
- Avoid negative impact on customer experience
- Keep project duration & cost to a minimum
Given the complex POS network configuration and the high level of service that customers expect, City Fresko set very high standards for the solution protecting the cardholder data that they manage:
- The solution needs to run on HPE NonStop systems and ACI BASE24 environments
- Robust algorithm to replace parts of the PAN with tokens that are of no use to hackers
- A secure vault using dual control that stores the relationship between tokens and PANs
- Easy implementation avoiding changes to existing applications, which was a crucial characteristic to select the solution
- Effective authentication of users to prevent fraudulent use of unprotected data by insiders and third parties.
City Fresko chose SecurDPS from comforte because it fulfilled all of the above requirements and more. It was easy to implement in its complex IT environment without any changes to source code or downtime, it properly secured cardholder data in accordance with PCI-DSS requirements, and it is a scalable, enterprise-wide solution that can later be expanded to other systems in the organization.
SecurDPS reduces business risk as it replaces in-the-clear sensitive data with a token value that is meaningless if it is exposed. A data-centric security strategy protects the data itself so that even if all other security measures fail, the data at the core will still not be exploitable. This also fulfils the PCI- DSS requirements for no sensitive data on core enterprise components. Furthermore, tokenized data is protected from accidental exposure to unauthorized insiders and third-party vendors as it can only be accessed with proper authorization. This helps reduce dependency on compensating controls as a temporary measure to pass security audits and fulfils the PCI-DSS requirements that sensitive data
Figure 1: Tokenization at City Fresko
The benefits of this project go beyond fulfilling PCI-DSS requirements for data protection. In the unlikely event of a data breach, all sensitive data will be unreadable and have no exploitable value to hackers, which significantly reduces the impact of a potential breach.
Furthermore, the tokenized data gives the organization complete control over their sensitive data, which minimizes future compliance cost and reduces the risk of damaging data breaches.
Last but not least, the successful PCI-DSS re-certification strengthens City Fresko’s reputation as a reliable and responsible partner who can effectively protect sensitive customer data.
“Both the tokenization solution, as well as the services provided by comforte’s specialists, were fundamental to deliver a successful project. comforte’s experience in implement-tations of this kind was noticed at all times, and also their ability to cater for the specific needs that clients like us usually have trying to comply with PCI-DSS regulations.”
– Production and Support Director, Humberto Padilla Loza